Part 2 of 3 : Nice email – Subject: Employee Documents – Internal Use

As the title suggests, this is the continuation of my investigation into a malicious Dyre email that I received a while back. If you did not see my initial post (and, mind you, my first blog post about malware analysis), you can find it here. The other thing I am going to do this time is use a new tool created by Omri Herscovici called CapTipper. For more information about this tool, check out his page here.

Last time, I clicked the link, received a file that was masked as a PDF but was really an executable, and ran it. One of the artifacts left behind by that run was a file called informix.exe, as you can see below:

Now let’s see what happens when I run this file on my VM and what Security Onion comes back with.

So after clicking on the above EXE, I did see that there was outbound traffic from the VM. Very quickly I saw a file being written to the %TEMP% folder and then deleted (along with the informix.exe file). I was not able to make a copy of this file, as you can see here:

So with a saved PCAP file from this run in hand, I fired up CapTipper to start the analysis:

The above command takes the PCAP and starts off by listing what “conversations” have been established (from what I can tell, this is synonymous with tcp.stream in Wireshark). As we can see, there were not many conversations from this malware sample. This is further substantiated by typing ‘host’ at the command line:

The pages from the IP 202.153.35.133 (conversations 4, 6, and 7) don’t seem to load anything, since CapTipper is saying there is no size in bytes associated with them. Doing a simple ‘head 7’ or ‘body 7’ does not yield anything. So, opening the PCAP up in Wireshark, I see the following associated with conversation 7:

Once again, we can see that the name of the VM is being passed to the destination server. Based on some other reading I have done on the Dyre malware, I am assuming that this is a GET request for a script tailored to the OS the VM is running. Unfortunately, nothing was returned. The only connection that seemed to be made was in conversation 5, as you can see below:
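To show what CapTipper’s conversation listing and the zero-size entries above boil down to, here is an added example (not from the original post and not CapTipper’s own code): a stdlib-only Python parser that walks a pcap, pairs each client flow with the server’s reply, and reports the request line, status line and response body size per conversation. The capture it reads is constructed inline with documentation-range addresses and a made-up VM name in the request path; build_pcap, conversations and summarize are names chosen for this example.

```python
import socket
import struct

LINKTYPE_RAW = 101  # pcap link type whose frames start at the IPv4 header (no Ethernet)

def build_pcap(packets):
    # Constructed helper: wrap (src, sport, dst, dport, payload) tuples in a pcap file; checksums stay zero.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    for src, sport, dst, dport, payload in packets:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = ip + tcp + payload
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def conversations(pcap):
    # Group TCP payload by flow, client side first, like CapTipper's conversation list.
    # Assumes a little-endian pcap with LINKTYPE_RAW frames (what build_pcap emits).
    off, streams = 24, {}
    while off < len(pcap):
        caplen = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        pkt = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        ihl = (pkt[0] & 0x0F) * 4                        # IPv4 header length
        src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        payload = pkt[ihl + (pkt[ihl + 12] >> 4) * 4:]   # skip the TCP header (data offset)
        key, side = (src, sport, dst, dport), "request"
        if key not in streams and (dst, dport, src, sport) in streams:
            key, side = (dst, dport, src, sport), "response"
        streams.setdefault(key, {"request": b"", "response": b""})[side] += payload
    return streams

def summarize(pcap):
    # One row per conversation: server, request line, status line and response body size.
    rows = []
    for i, ((_, _, dst, dport), s) in enumerate(conversations(pcap).items()):
        head, _, body = s["response"].partition(b"\r\n\r\n")
        rows.append({"id": i, "server": f"{dst}:{dport}", "size": len(body),
                     "request": s["request"].split(b"\r\n", 1)[0].decode("latin-1"),
                     "status": head.split(b"\r\n", 1)[0].decode("latin-1")})
    return rows

# Constructed traffic: one request answered with a 5-byte body, one that never gets a reply.
CLIENT, SERVER = "10.0.0.5", "203.0.113.10"              # documentation-range addresses, not from the post
SAMPLE_PCAP = build_pcap([
    (CLIENT, 49152, SERVER, 80, b"GET /a HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (SERVER, 80, CLIENT, 49152, b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    (CLIENT, 49153, SERVER, 80, b"GET /WIN-VMNAME/1/ HTTP/1.1\r\nHost: example.test\r\n\r\n"),
])
```

A row with size 0 and an empty status is the “nothing came back” case seen in conversations 4, 6 and 7: the request left the VM but the server never answered. Captures taken by Security Onion are normally Ethernet-framed (link type 1), so strip the 14-byte Ethernet header before the IPv4 parsing when feeding a real pcap to this parser.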